X509_cmp_time: only return 1, 0, -1.

The behaviour of X509_cmp_time used to be undocumented.

The new behaviour, documented in master, is to return only 0, 1, or -1.
Make the code in the other branches to adhere to this behaviour too,
to reduce confusion. There is nothing to be gained from returning
other values.

Fixes GH#4954

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4955)

(cherry picked from commit 48345917747a34feea3da2936994a265c7f2ca11)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b1472018baf75c9efc0e7e8e1f3648d298bc4609..ff238331e6821efe24860522765825fad2095bf2 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2046,10 +2046,11 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
             return 1;
     }
     i = strcmp(buff1, buff2);
-    if (i == 0)                 /* wait a second then return younger :-) */
-        return -1;
-    else
-        return i;
+    /*
+     * X509_cmp_time comparison is <=.
+     * The return value 0 is reserved for errors.
+     */
+    return i > 0 ? 1 : -1;
 }
 
 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)